CVE-2025-65730
📋 TL;DR
This vulnerability allows attackers to bypass authentication in GoAway by forging JWT tokens using a hardcoded secret key. Any system running GoAway versions up to 0.62.18 is affected, potentially enabling unauthorized access to protected resources. The hardcoded secret is embedded in the source code, making it easily discoverable.
💻 Affected Systems
- GoAway
📦 What is this software?
Goaway by Pommee
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative privileges, access sensitive data, and execute arbitrary commands on affected servers.
Likely Case
Unauthorized access to protected API endpoints and data, potentially leading to data exfiltration or privilege escalation.
If Mitigated
Limited impact with proper network segmentation and additional authentication layers, though authentication bypass remains possible.
🎯 Exploit Status
The hardcoded secret is publicly visible in GitHub repositories, making exploitation trivial. Attackers only need to generate valid JWT tokens using the known secret.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.62.19
Vendor Advisory: https://github.com/pommee/goaway/releases/tag/v0.62.19
Restart Required: Yes
Instructions:
1. Backup current configuration and data.
2. Stop the GoAway service.
3. Update to version 0.62.19 or later using your package manager or by downloading from GitHub.
4. Restart the GoAway service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Implement External Authentication Proxy
Place GoAway behind a reverse proxy that handles authentication independently using a different secret or mechanism.
# Configure nginx or similar proxy with separate authentication
Network Access Restrictions
Restrict access to GoAway instances using firewall rules to only allow trusted IP addresses.
iptables -A INPUT -p tcp --dport <goaway_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <goaway_port> -j DROP
🧯 If You Can't Patch
- Isolate affected systems from untrusted networks using strict firewall rules
- Implement additional authentication layers such as IP whitelisting or client certificate authentication
🔍 How to Verify
Check if Vulnerable:
Check the GoAway version. If it's 0.62.18 or earlier, it's vulnerable. Also check if the hardcoded secret 'goaway-secret-key' appears in the JWT signing code.
Check Version:
goaway --version or check the application's version endpoint if available
Verify Fix Applied:
Verify the GoAway version is 0.62.19 or later. Confirm that JWT tokens signed with the old hardcoded secret no longer grant access.
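As an added example (this is not GoAway's own code; the environment variable name `GOAWAY_JWT_SECRET` and the 32-byte minimum are assumptions of this example), the following Go program shows the hardened form of the pattern this advisory describes and gives the two verification steps above a concrete check: the signing key is loaded from configuration and the hardcoded default `goaway-secret-key` is refused at startup, the verifier pins the algorithm to HS256 and compares the HMAC in constant time, and `SignedWithWeakKey` tests whether a token still validates under the old secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// WeakSecret is the hardcoded value named in the advisory. Any token whose
// signature verifies under it was produced with the vulnerable key and must
// not be trusted, whoever minted it.
const WeakSecret = "goaway-secret-key"

// LoadSecret takes the signing key from configuration and refuses an unset
// value, the hardcoded default, or anything shorter than 32 bytes
// (the length floor is this example's assumption, not GoAway's).
func LoadSecret(value string) ([]byte, error) {
	switch {
	case value == "":
		return nil, errors.New("JWT secret is not configured")
	case value == WeakSecret:
		return nil, errors.New("refusing the hardcoded default secret")
	case len(value) < 32:
		return nil, errors.New("JWT secret must be at least 32 bytes")
	}
	return []byte(value), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 issues a compact JWT (header.payload.signature) over the claims.
func SignHS256(claims map[string]any, secret []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil)), nil
}

// checkSignature pins the algorithm to HS256 and compares the HMAC in
// constant time; it returns the raw payload bytes on success.
func checkSignature(token string, secret []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// VerifyHS256 is the server-side check: a valid signature under the
// configured key and an exp claim that has not passed.
func VerifyHS256(token string, secret []byte, now time.Time) (map[string]any, error) {
	payload, err := checkSignature(token, secret)
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

// SignedWithWeakKey reports whether a token (for example one captured in the
// access log) verifies under the hardcoded secret. Expiry is ignored on
// purpose: an expired token minted with the old key is still evidence.
func SignedWithWeakKey(token string) bool {
	_, err := checkSignature(token, []byte(WeakSecret))
	return err == nil
}

func main() {
	// GOAWAY_JWT_SECRET is an assumed variable name, not one GoAway documents.
	key, err := LoadSecret(os.Getenv("GOAWAY_JWT_SECRET"))
	if err != nil {
		fmt.Println("startup refused:", err)
		return
	}
	tok, _ := SignHS256(map[string]any{"sub": "admin", "exp": time.Now().Add(time.Hour).Unix()}, key)
	fmt.Println("issued token verifies under the old hardcoded key:", SignedWithWeakKey(tok))
}
```

Running `SignedWithWeakKey` over tokens seen in your own deployment's logs tells you whether they were issued with the old key; after the upgrade none should pass, and any that still do were minted before the fix and should be invalidated by forcing re-authentication.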
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access with unusual tokens
- JWT tokens with suspicious signatures or timestamps
Network Indicators:
- Unusual API access patterns from unexpected IP addresses
- Authentication bypass attempts to protected endpoints
SIEM Query:
source="goaway.log" AND (event="authentication_success" AND NOT user IN ["expected_users"]) OR (event="api_access" AND resource="protected_endpoint" AND NOT source_ip IN ["trusted_ips"])
🔗 References
- https://github.com/gian2dchris/CVEs/tree/CVE-2025-65730/CVE-2025-65730
- https://github.com/pommee/goaway/blob/v0.62.18/backend/api/auth.go#L48
- https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L110
- https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L15
- https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L40
- https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L69
- https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L88
- https://github.com/pommee/goaway/commit/5769f8782b7453ca1c22a201b224b5ce48532f64#diff-4ddfd6cf1311ddfd45734bb1dc53bc208df69584ba92ac4f38866bd558434678L15-L40
- https://github.com/pommee/goaway/releases/tag/v0.62.16